You did your civic duty and voted. Voting is important. Election results are pouring in and you’re glued to the internet watching the tabulations. This exercise is occurring around the world with regular cadence. Sometimes with outcries of shenanigans.

Now, depending upon where you might be sitting your vote may have been the old-fashioned paper ballot, a mechanical ballot (who will ever forget Florida’s hanging chad?), an electronic ballot or a combination of these.

If we look to Germany, which just finished its parliamentary elections, you will hear and read of how immediately prior to the election the allegation that the PC-Wahl software used to tabulate election results was potentially compromised. Our read of the PC-Wahl pages (using a translator) indicates the software application visualizes results it reads from the vote collecting entity. The folks at PC-Wahl claim there are no issues. The group who discovered the vulnerability say otherwise, and they do indeed appear to have found some lax security processes in the PC-Wahl environment.

According to Reuters, the BSI (German Federal Office for Information Security) noted the ballot manipulation via PC-Wahl was not possible, as the ballots are paper ballots. The agency also admonished PC-Wahl to address the identified security issues. BSI Chief Arne Schoenbohm went on to say, “In the future, only information technology based on BSI-Certified software should be used for election processes.”

It appears the PC-Wahl vulnerability would have allowed manipulation of the presentation of the results, but not the votes themselves. Bottom line, did it matter in the election last week? Apparently not.

As the BSI tells us, the paper ballot provided a modicum of security from vote fraud. Though history buffs will remember with clarity the historical shenanigans which took place in the late 19th and early 20th centuries in Chicago and New York. As Pogo reminded us, “Vote early, vote often” was then a reality.

Meanwhile in Kenya, the Supreme Court of Kenya just overturned the election of president Uhuru Kenyatta. According to the Telegraph, the court found “irregularities and illegalities” in the Aug. 8 election and ordered a fresh election within 60 days.

The court specifically noted that Kenyatta had no involvement in the electoral fraud. Rather, the problem was found to have occurred when a quarter of polling stations failed to file supporting documentation with the results. Which is not near as damning as the claims, reported by CNN, that the Independent Electoral and Boundaries Commission (IEBC) refused to let the court access its processes and data. This led Justice Philomena Mwilu to say she had “no choice but to accept the petitioner’s claims that the IEBC’s IT system was infiltrated and compromised, and the data therein interfered with, or IEBC’s officials themselves interfered with the data.” Infiltration of the IEBC would have allowed tampering with the voting. Shenanigans indeed.

The Sunday Standard tells us that electronic voting machines (EVMs) from India (which are being exported) had been hacked ahead of an election in India.

The allegation is that the machines are susceptible to tampering. In 2010, a domestic study detailed the various vulnerabilities in the briefcase-size machines. In early 2017, the Election Commission of India published its own “Status Paper on Electronic Voting Machines,” noting that the security is good and commission oversight rigorous. In addition, by 2019, every machine will be integrated with a voter-verifiable paper audit trail (VVPAT) mechanism, which has been phased in since 2014.

To demonstrate the security of the EVM, the Indian commission went so far as to arrange a “domestic hackathon” where only teams comprised of Indian nationals would try and hack into the EVM over a period of seven to 10 days. Alas, the event never occurred. However, what did happen was a widespread call of shenanigans in the form of EVM manipulation following the Bharatiya Janata Party’s massive election victory in the state elections conducted in Uttar Pradesh (India).

These EVMs manufactured by India: Did we mention they are being exported?

And then we have the United States. The hoopla surrounding the November 2016 presidential election concerning meddling by a foreign power (Russia) does not include any credible claims that the actual ballot count nor the individual vote was manipulated or adjusted.

What we are seeing, however, is individual counties in various states hiring third-party vendors to inspect and attest to the efficacy of the claimed security features. This is exactly what Linn County in Iowa is doing in response to the Department of Homeland Security (DHS) declaration that voting systems are “critical infrastructure.”

Linn County has had its share of cyber incidents: In August the Linn County auditor inadvertently included social security numbers, which ended up being published. Oops.

Then we have Virginia, which, as a direct result of DefCon 2017 demonstration of how easily the Direct Recording Electronic voting equipment could be manipulated, is in the process of decertifying the voting equipment. Immediately after DefCon, the state’s IT entity, Virginia Information Technology Agency (VIA), was charged with testing all the machines used by the state. Every one of them failed the tests.

To its credit, DHS is offering assistance to states in protecting their election systems. In fact, 33 states have taken DHS up on its offer. We can expect DHS to conduct “penetration testing, social engineering, wireless access discovery and identification, as well as database- and operating system-scanning.” That would be a good start to tie-down our voting and vote tallying systems prior to the next election.

EVMs may be the future for some, but for many, the paper ballot may continue to be the most secure means of casting their vote.

According to Gartner, the application layer contains 90% of all vulnerabilities. However, do security experts and developers know what’s happening underneath the application layer? Organizations are aware they cannot afford to let potential system flaws or weaknesses in applications be exploited, but knowing the distinctions between these weaknesses can make ... Read More

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.